Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick ca32852e4f and 40bb7a43b2 from angle #33222

Merged
merged 2 commits into from Mar 23, 2022
Merged

chore: cherry-pick ca32852e4f and 40bb7a43b2 from angle #33222

merged 2 commits into from Mar 23, 2022

Conversation

ppontes
Copy link
Member

@ppontes ppontes commented Mar 10, 2022

M99: Vulkan: Prevent out of bounds read in divisor emulation path.

Split the replicated part of StreamVertexData out to
StreamVertexDataWithDivisor, there is only a partial argument
overlap between the two.

Bug: chromium:1285885
Change-Id: Ibf6ab3efc6b12b430b1d391c6ae61bd9668b4407
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3398816
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Commit-Queue: Roman Lavrov <romanl@google.com>
(cherry picked from commit 5f0badf4541ba52659c937cfe9190d3735a76c10)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3461414

====================

M99: Vulkan: StreamVertexDataWithDivisor write beyond buffer boundary

StreamVertexDataWithDivisor() function is advancing dst with dstStride,
but then later on it is treating dst as if it never advanced, thus
result in write out of buffer boundary. This was hidden by VMA's memory
suballocation, which means it may result in some rendering artifacts.

Bug: angleproject:6990
Change-Id: Ic91e917cedd247dfe85b12a69ae26b21b7a4e67a
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3445528
Reviewed-by: Roman Lavrov <romanl@google.com>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Charlie Lao <cclao@google.com>
(cherry picked from commit 5204587698099207ce8ae70779ef44ffae877996)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3461417
Reviewed-by: Charlie Lao <cclao@google.com>
Commit-Queue: Roman Lavrov <romanl@google.com>

Notes: Security: backported fix for CVE-2022-0792.

@ppontes ppontes added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 15-x-y labels Mar 10, 2022
@ppontes ppontes requested review from a team as code owners March 10, 2022 18:01
@ppontes ppontes force-pushed the cherry-pick/15-x-y/angle/ca32852e4f branch from 99fccc9 to 0e792fb Compare March 10, 2022 18:03
@jkleinsc jkleinsc merged commit 2f28e10 into 15-x-y Mar 23, 2022
@jkleinsc jkleinsc deleted the cherry-pick/15-x-y/angle/ca32852e4f branch March 23, 2022 00:11
@release-clerk
Copy link

release-clerk bot commented Mar 23, 2022

Release Notes Persisted

Security: backported fix for CVE-2022-0792.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkleinsc jkleinsc jkleinsc approved these changes

Assignees
No one assigned
Labels
15-x-y backport-check-skip Skip trop's backport validity checking security 🔒 semver/patch backwards-compatible bug fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ppontes @jkleinsc @electron-bot